Patch Analysis for October 2008

Wow, everything and everyone is affected by this month’s Patch Tuesday:

Domain controllers: 2 very important bulletins address vulnerabilities present in domain controllers. I recommend you immediately apply MS08-060 (Windows 2000 DCs only) and MS08-063 to your domain controllers after minimal or no testing.

Servers: In my chart below, note that 4 bulletins impact primarily servers and that there is also a patch specific to HIS (mainframe/AS400 connectivity). In particular, take note of MS08-062, which is already being exploited in attacks. If you use Internet Printing Protocol, patch such systems immediately.

Workstations and Terminal Servers: As usual, most (8 out of 11) bulletins are workstation-centric. In particular, watch out for MS08-058, which addresses some nasty IE bugs, and MS08-061; exploit details for both are already public.

I’d also like to bring your attention to the point frequently made in MS security bulletins: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Nice thought, but it’s hard to take admin authority away from end-users on their workstations.

Yesterday's "Out of Band" Security Bulletin (10/24/2008)

As most of you know, MS released what they call an “out of band” security update (MS08-067) for the Server service that impacts all versions of Windows. Here are my quick thoughts on it.

Are you vulnerable?

If your Server service is started (it is by default on both workstations and servers) and ports 139 or 445 are reachable from a network that could carry malicious agents, the answer is yes. Any network can potentially carry malicious agents, especially if someone incorporates this exploit into a worm.

So unless you have isolated networks limited to highly trusted users I’d recommend protecting your systems as soon as possible.
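The three conditions above (Server service running, SMB ports listening, update not yet installed) can be checked from an elevated PowerShell prompt. This is an added example, not code from the original newsletter. It assumes the Server service's internal name is LanmanServer (it is) and detects the update by hotfix ID; the newsletter itself does not give a KB number, so the default KB958644 used here is taken from the bulletin and should be confirmed against it. It parses netstat rather than using newer cmdlets so it also runs on XP/2003-era hosts.

```powershell
# Added example (not from the original newsletter): exposure check for the
# out-of-band Server service update. Run in an elevated PowerShell.
# Assumption: KB958644 is the hotfix ID of the update; the newsletter does not
# state it, so confirm against the bulletin or pass -KB explicitly.
param([string]$KB = "KB958644")

# 1. Is the Server service (LanmanServer) running? It is by default everywhere.
$svc = Get-Service -Name LanmanServer
$serverRunning = ($svc.Status -eq "Running")

# 2. Are TCP 139 / 445 listening? netstat is parsed on purpose: the
#    Get-NetTCPConnection cmdlet does not exist on XP/2003/Vista-era hosts.
$listening = netstat -an | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING') { $matches[1] }
} | Sort-Object -Unique

# 3. Is the update installed? Win32_QuickFixEngineering works on PowerShell 1.0;
#    Get-HotFix needs 2.0.
$patched = [bool](Get-WmiObject Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -eq $KB })

"Server service running : $serverRunning"
"SMB ports listening    : $($listening -join ', ')"
"$KB installed          : $patched"

if ($serverRunning -and $listening -and -not $patched) {
    Write-Warning "Exposed: Server service up, port(s) $($listening -join '/') listening, $KB missing."
} elseif (-not $patched) {
    Write-Warning "$KB missing; host becomes vulnerable as soon as 139/445 is reachable."
} else {
    "Patched."
}
```

The script cannot tell you whether the network those ports face is trustworthy; as the text says, assume it is not unless the segment is isolated and limited to highly trusted users.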

Is it necessary to install the patch?

There are some good workarounds in the bulletin, but they won’t be practical for most servers since they disable or block access to the Server service. Functionality that could be impacted includes:

Server (File and Print Sharing)
Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
So most of you will need to install the patch.

How urgent is this?

Urgent. The vulnerability is being exploited while I write this. An unsecured system I keep on the net for this purpose has had its Server service repeatedly crashed over the last couple of days.

I hope this helps in your patch management efforts. Again I’ve updated the chart on my home page.

Thanks as always for reading and best wishes on security,
Randy Franklin Smith

MS08-067 could be Code Red 2008 (10/31/2008)

Since my first coverage of MS08-067 the situation has become more urgent, as I thought might happen. Proof-of-concept code has been released, and malware that exploits this vulnerability is starting to show up. Jason Miller (security data team manager at Shavlik) and I talked this morning, and we agree this could well be the Code Red of 2008.

Don’t wait till next Patch Tuesday to update your systems; a lot can happen between now and then. If a worm is released that exploits this vulnerability in the Server service, the results will be really bad. Firewalls aren’t enough, since there are many other ways for worms to get onto your network. For most servers there is no comprehensive, practical workaround. With workstations, though, you should seriously consider disabling the Server service, or, if it is required for remote systems management, locking access to it down with IPsec policies that limit connections to your system management servers and not the rest of your network.
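The two workstation options just described (disable the Server service outright, or keep it but restrict TCP 139/445 to your management servers with an IPsec policy) can be scripted; the same policy is also the least disruptive form of the bulletin workarounds listed earlier. The following is an added example, not code from the newsletter or from Microsoft's bulletin. It wraps the XP/2003-era "netsh ipsec static" commands from PowerShell; the management server addresses are constructed placeholders, and the policy, filter list and filter action names are this example's own choices. Run it elevated on the host being protected.

```powershell
# Added example (not from the original newsletter): lock down inbound SMB.
#   -DisableServerService : stop and disable LanmanServer (no inbound SMB at all)
#   default               : assign a local IPsec policy that blocks TCP 139/445
#                           from everyone except the listed management servers
# The addresses below are constructed placeholders; replace with your own.
param(
    [string[]]$ManagementServers = @("10.0.0.5", "10.0.0.6"),
    [switch]$DisableServerService
)

if ($DisableServerService) {
    # Option 1: remove the listener entirely. File/print sharing and any
    # SMB-based remote management of this host stop working.
    Stop-Service -Name LanmanServer -Force        # -Force also stops dependents (Computer Browser)
    Set-Service  -Name LanmanServer -StartupType Disabled
    "Server service stopped and disabled."
    return
}

# Option 2: IPsec filtering. IPsec applies the most specific matching filter,
# so the per-host permit filters take precedence over the catch-all block.
$policy    = "RestrictSMB"
$blockList = "SMBFromAny"
$allowList = "SMBFromMgmt"

netsh ipsec static add policy name=$policy

# Catch-all: TCP 139 and 445 to this host ("me") from any source, blocked.
# srcport=0 means any source port; filters are mirrored by default.
netsh ipsec static add filterlist name=$blockList
foreach ($port in 139, 445) {
    netsh ipsec static add filter filterlist=$blockList srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$port
}
netsh ipsec static add filteraction name=BlockSMB action=block
netsh ipsec static add rule name=BlockSMBFromAny policy=$policy filterlist=$blockList filteraction=BlockSMB

# Exceptions: the same ports from each management server, permitted.
netsh ipsec static add filterlist name=$allowList
foreach ($mgmt in $ManagementServers) {
    foreach ($port in 139, 445) {
        netsh ipsec static add filter filterlist=$allowList srcaddr=$mgmt dstaddr=me protocol=TCP srcport=0 dstport=$port
    }
}
netsh ipsec static add filteraction name=PermitSMB action=permit
netsh ipsec static add rule name=PermitSMBFromMgmt policy=$policy filterlist=$allowList filteraction=PermitSMB

# Assign (activate) the policy and show what is now in force.
netsh ipsec static set policy name=$policy assign=y
netsh ipsec static show policy name=$policy
```

Test from a management server and from an ordinary workstation before rolling this out by Group Policy: the first should still be able to open \\host\admin$, the second should time out on port 445. The policy is a stopgap for the window until the patch is installed, not a substitute for it.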

"Really appreciate your patch observer. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable."

- Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is a useful starting point too. Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is really improving the readability of the provided information."